620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418

Analysis

max time kernel
151s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe
Size

5.3MB
MD5

4bfdbc4a5c8b514a5246958bdcce67ed
SHA1

5eed6c59bfa6e3091dbd9aa525d82062e1dd41e9
SHA256

620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418
SHA512

41006c6304462a6153d854811aed3965693be8fd72eb89e31403dde6a661d4c1746baf4c27943735a4d03785dbe453114311ea4c6d19ed5cfd132c936942da88
SSDEEP

98304:/WMWo9J2sFR7ywufiKW3braCZWk62bDwjNdUmrr+F49bvKqZrQGbXKrA3:+ML9kngP9wjvUmP+F49bvKqtQXA3

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4336	MeiPin.exe
4936	MeiPin.exe
4944	MeiPin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe

Loads dropped DLL 1 IoCs

pid	Process
2588	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MeiPin\MeiPin.exe	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe
File created	C:\Program Files (x86)\MeiPin\mpkn.exe	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe
File created	C:\Program Files (x86)\MeiPin\uninst.exe	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe
File created	C:\Program Files (x86)\MeiPin\ÃÀÆ·¿´Í¼.lnk	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
5048	taskkill.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\MeiPin.PhotoViewer\shell\open\command	MeiPin.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\MeiPin.PhotoViewer\shell	MeiPin.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\MeiPin.PhotoViewer\shell\open	MeiPin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\MeiPin.PhotoViewer\shell\open\command\ = "\"C:\\Program Files (x86)\\MeiPin\\MeiPin.exe\" \"%1\""	MeiPin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\MeiPin.PhotoViewer\DefaultIcon\ = "%systemroot%\\SysWow64\\imageres.dll,-72"	MeiPin.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\MeiPin.PhotoViewer	MeiPin.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\MeiPin.PhotoViewer\shell\open\command	MeiPin.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\MeiPin.PhotoViewer\shell\open\command	MeiPin.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\MeiPin.PhotoViewer\DefaultIcon	MeiPin.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe
4944	MeiPin.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4336	MeiPin.exe
4936	MeiPin.exe
4944	MeiPin.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 4336	2588	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe	79
PID 2588 wrote to memory of 4336	2588	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe	79
PID 2588 wrote to memory of 4336	2588	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe	79
PID 2588 wrote to memory of 5048	2588	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe	80
PID 2588 wrote to memory of 5048	2588	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe	80
PID 2588 wrote to memory of 5048	2588	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe	80
PID 2588 wrote to memory of 4936	2588	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe	82
PID 2588 wrote to memory of 4936	2588	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe	82
PID 2588 wrote to memory of 4936	2588	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe	82
PID 2588 wrote to memory of 4944	2588	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe	83
PID 2588 wrote to memory of 4944	2588	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe	83
PID 2588 wrote to memory of 4944	2588	620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe	83

C:\Users\Admin\AppData\Local\Temp\620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe
"C:\Users\Admin\AppData\Local\Temp\620b24f1b729b9777300ed6df2a8f0965034c51d427e10d6249f7951d3bc4418.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\nsr99E4.tmp\MeiPin.exe
  C:\Users\Admin\AppData\Local\Temp\nsr99E4.tmp\MeiPin.exe /fix
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4336
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /im mvyd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- C:\Program Files (x86)\MeiPin\MeiPin.exe
  "C:\Program Files (x86)\MeiPin\MeiPin.exe" /reg
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4936
- C:\Program Files (x86)\MeiPin\MeiPin.exe
  "C:\Program Files (x86)\MeiPin\MeiPin.exe" /A
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MeiPin\MeiPin.exe

Filesize
1.4MB

MD5
7a89f6f1001f0c9368a7e1aa22c9cc18

SHA1
356984da6f1e6a2367b8b462bd797dda4a15e984

SHA256
85ffba9385716c6f5ea16ab86c2f551ca6aa3e274d763f4d34e2ac84b3ae8365

SHA512
ac35393674bf76e029506cc508f6427687727e9623b6e4276233f055e5f93808a89661745a041426438c2b8a82420885bfb15aca0b7e505087b00d3e8d4a9f76

Download Submit
C:\Program Files (x86)\MeiPin\MeiPin.exe

Filesize
1.4MB

MD5
7a89f6f1001f0c9368a7e1aa22c9cc18

SHA1
356984da6f1e6a2367b8b462bd797dda4a15e984

SHA256
85ffba9385716c6f5ea16ab86c2f551ca6aa3e274d763f4d34e2ac84b3ae8365

SHA512
ac35393674bf76e029506cc508f6427687727e9623b6e4276233f055e5f93808a89661745a041426438c2b8a82420885bfb15aca0b7e505087b00d3e8d4a9f76

Download Submit
C:\Program Files (x86)\MeiPin\MeiPin.exe

Filesize
1.4MB

MD5
7a89f6f1001f0c9368a7e1aa22c9cc18

SHA1
356984da6f1e6a2367b8b462bd797dda4a15e984

SHA256
85ffba9385716c6f5ea16ab86c2f551ca6aa3e274d763f4d34e2ac84b3ae8365

SHA512
ac35393674bf76e029506cc508f6427687727e9623b6e4276233f055e5f93808a89661745a041426438c2b8a82420885bfb15aca0b7e505087b00d3e8d4a9f76

Download Submit
C:\Users\Admin\AppData\LocalLow\MeiPin\Setup.ini

Filesize
25B

MD5
65118ba3a9d9cd17a96b7c16c7c85bce

SHA1
4c9bcdb65c54c2cb9897225bd4c478eaa201d82b

SHA256
f8edcb1a41a2bd85dccbad37535d0e9963ffddbd8b1ac333f0038b26919c32bb

SHA512
5e9d90bcca0ad1600c26f9d717d5b7e372f6e2e05caacf872c3fc06361ab7818fe7f3a059f632429b139e281118de91592edf89b675a0804a723f422089a1d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr99E4.tmp\MeiPin.exe

Filesize
1.4MB

MD5
7a89f6f1001f0c9368a7e1aa22c9cc18

SHA1
356984da6f1e6a2367b8b462bd797dda4a15e984

SHA256
85ffba9385716c6f5ea16ab86c2f551ca6aa3e274d763f4d34e2ac84b3ae8365

SHA512
ac35393674bf76e029506cc508f6427687727e9623b6e4276233f055e5f93808a89661745a041426438c2b8a82420885bfb15aca0b7e505087b00d3e8d4a9f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr99E4.tmp\MeiPin.exe

Filesize
1.4MB

MD5
7a89f6f1001f0c9368a7e1aa22c9cc18

SHA1
356984da6f1e6a2367b8b462bd797dda4a15e984

SHA256
85ffba9385716c6f5ea16ab86c2f551ca6aa3e274d763f4d34e2ac84b3ae8365

SHA512
ac35393674bf76e029506cc508f6427687727e9623b6e4276233f055e5f93808a89661745a041426438c2b8a82420885bfb15aca0b7e505087b00d3e8d4a9f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr99E4.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/4336-133-0x0000000000000000-mapping.dmp

Download
memory/4936-137-0x0000000000000000-mapping.dmp

Download
memory/4944-139-0x0000000000000000-mapping.dmp

Download
memory/5048-136-0x0000000000000000-mapping.dmp

Download